In some data processing methods, in particular in the context of cryptographic processing of data, the processing algorithms use data that must remain secret (such as cryptographic keys, for example) to ensure that the system operates with the required security. Methods of this type are therefore the target of attacks by malicious users who seek to defeat the security of the system.
Among these attacks are fault-injection attacks, which consist in disturbing all or part of the normal execution of the data processing method (generally implemented by the execution of a program in a microprocessor) in order to obtain, at the output of the method, data that differs from the data normally expected but reveals information about the secret data used in the algorithm (contrary to what is expected in fault-free execution of the program).
To counter this type of attack, complementary steps have been added (such as repeating calculations already performed or calculating the decrypted data item, for example) in order to verify fault-free execution of the data processing method, as described for example in the patent applications WO 2005/088895, WO 2006/103341 and FR 2 919 739.
In the latter patent application, a data item resulting from a first iteration of the cryptographic calculation is stored for the duration of a second iteration of the same calculation. Alternatively, a decryption calculation is performed on the data item resulting from the first iteration to recover, a priori, the initial data item.
A comparison is then made either between the results of the two iterations or between compressed versions of the initial data item and the decrypted data item to detect any fault during the execution.
However, these solutions have a few drawbacks.
Among other things, this duplication of operations (double iteration or encryption/decryption) leads to a high overhead in calculation time that can be detrimental to real-time processing.
Moreover, these solutions do not protect systems from fault-injection attacks carried out symmetrically on the two iterations of the same calculation. Such attacks lead to identical results for the two iterations and thus to a successful comparison.
Finally, these techniques remain generic because they apply to the whole of a cryptographic algorithm, such as the DES (Data Encryption Standard) algorithm, without taking account of the transformations that constitute the algorithm.
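The overhead and the symmetric-fault blind spot of the double-iteration check described above can be seen in a small simulation. This is an added example, not code from the cited patent applications; the toy Feistel cipher, the key, the function names and the fault model (an XOR mask applied after a chosen round) are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy 4-round Feistel network on 32-bit blocks (constructed for illustration;
   not DES and not the method of any cited patent application). */
#define ROUNDS 4
static unsigned long round_calls = 0;   /* counts rounds executed, to show the overhead */

static uint16_t f(uint16_t half, uint16_t k) {
    uint16_t x = (uint16_t)(half ^ k);
    x = (uint16_t)((x << 3) | (x >> 13));
    return (uint16_t)(x * 0x9E37u + k);
}

/* fault_round < 0: fault-free run. Otherwise fault_mask is XORed into the
   left half after that round, modelling a transient fault in simulation. */
uint32_t toy_encrypt(uint32_t pt, const uint16_t key[ROUNDS],
                     int fault_round, uint16_t fault_mask) {
    uint16_t l = (uint16_t)(pt >> 16), r = (uint16_t)pt;
    for (int i = 0; i < ROUNDS; i++) {
        uint16_t t = (uint16_t)(l ^ f(r, key[i]));
        l = r; r = t;
        round_calls++;
        if (i == fault_round) l ^= fault_mask;
    }
    return ((uint32_t)l << 16) | r;
}

/* Double-iteration countermeasure: returns 1 and writes *out only when both
   runs agree; returns 0 (fault detected, nothing released) otherwise. */
int encrypt_checked(uint32_t pt, const uint16_t key[ROUNDS],
                    int fr1, uint16_t m1, int fr2, uint16_t m2, uint32_t *out) {
    uint32_t a = toy_encrypt(pt, key, fr1, m1);
    uint32_t b = toy_encrypt(pt, key, fr2, m2);
    if (a != b) return 0;
    *out = a;
    return 1;
}

static const uint16_t KEY[ROUNDS] = {0x1234, 0xABCD, 0x0F0F, 0x55AA}; /* constructed */

int main(void) {
    uint32_t good = toy_encrypt(0xDEADBEEFu, KEY, -1, 0), out = 0;
    printf("fault-free:      pass=%d\n", encrypt_checked(0xDEADBEEFu, KEY, -1, 0, -1, 0, &out));
    printf("single fault:    pass=%d\n", encrypt_checked(0xDEADBEEFu, KEY, 2, 1, -1, 0, &out));
    int p = encrypt_checked(0xDEADBEEFu, KEY, 2, 1, 2, 1, &out);
    printf("symmetric fault: pass=%d, output wrong=%d\n", p, out != good);
    return 0;
}
```

The counter `round_calls` reaches 8 for one checked encryption against 4 for an unchecked one, which is the doubled calculation time; the last case passes the comparison while releasing a faulty output.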